nanog mailing list archives

RE: Security gain from NAT (was: Re: Cool IPv6 Stuff)


From: Donald Stahl <don () calis blacksun org>
Date: Mon, 4 Jun 2007 17:45:42 -0400 (EDT)


Sorry, Owen, but your argument is ridiculous. The original statement was
"[t]here's no security gain from not having real IPs on machines". If
someone said, "there's no security gain from locking your doors", would you
refute it by arguing that there's no security gain from locking your doors
that you don't get from posting armed guards round the clock?
Your argument is equally ridiculous because in order to work the NAT box has to do stateful inspection anyway!

A better statement would be:
"there's no security gain from locking your doors" (NAT), if you have already posted "armed guards round the clock" (Stateful Inspection)

NAT provides protection in the case where you have a stateful inspection firewall that fails open, something that no serious firewall I have ever seen does. If they aren't doing stateful inspection, then they aren't routing at all (or certainly shouldn't be).

-Don
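A toy model of the point made above, added here and not part of the thread: a NAT box must keep per-flow state just to deliver replies, so an unsolicited inbound packet is dropped the same way whether the box is "doing NAT" or "doing stateful filtering", and the two only diverge when the filter is bypassed (the fail-open case). All addresses are constructed from the RFC 5737 documentation ranges and RFC 1918 space.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class Gateway:
    """Toy gateway with optional port-translating NAT and an optional stateful filter.
    stateful_filter=False models a filter that 'fails open' (ignores the flow table)."""
    public_ip: str = "203.0.113.1"   # constructed public address (TEST-NET-3)
    nat: bool = True
    stateful_filter: bool = True
    next_port: int = 40000
    # Flow state shared by NAT and the filter:
    # (remote_ip, remote_port, local_ip_as_seen_outside, local_port_as_seen_outside) -> (inside_ip, inside_port)
    flows: dict = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """An inside host sends a packet; record the flow (NAT cannot deliver replies without it)."""
        if self.nat:
            pub_port, self.next_port = self.next_port, self.next_port + 1
            self.flows[(pkt.dst, pkt.dport, self.public_ip, pub_port)] = (pkt.src, pkt.sport)
            return Packet(self.public_ip, pub_port, pkt.dst, pkt.dport)
        self.flows[(pkt.dst, pkt.dport, pkt.src, pkt.sport)] = (pkt.src, pkt.sport)
        return pkt

    def inbound(self, pkt: Packet):
        """A packet arrives from outside; return what is delivered inside, or None if dropped."""
        entry = self.flows.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if self.stateful_filter and entry is None:
            return None                 # unsolicited: the filter drops it, NAT or not
        if self.nat:
            if entry is None:
                return None             # filter failed open, but NAT has no mapping to translate to
            inside_ip, inside_port = entry
            return Packet(pkt.src, pkt.sport, inside_ip, inside_port)
        return pkt                      # plain routing with the filter failed open: host is exposed

def run(nat: bool, stateful_filter: bool) -> dict:
    """One outbound flow, its legitimate reply, and one unsolicited inbound packet to port 22."""
    gw = Gateway(nat=nat, stateful_filter=stateful_filter)
    out = gw.outbound(Packet("192.168.1.10", 51000, "198.51.100.7", 443))
    reply = gw.inbound(Packet(out.dst, out.dport, out.src, out.sport))
    unsolicited = gw.inbound(Packet("198.51.100.9", 12345, out.src, 22))
    return {"reply_delivered": reply is not None, "unsolicited_delivered": unsolicited is not None}
```

Only the combination of no NAT and a filter that fails open lets the unsolicited packet through; with the filter working, NAT adds nothing to the inbound decision.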

